0

Let's say I host and serve my Angular app with Firebase Hosting, and use the Angular services to call APIs on my Firebase Functions, Firestore and Firebase Authentication.

I would like to know whether there is a chance that the code or processed data in Angular could leak:

1) If I hardcode my API key in the services, will it be a security breach to leak my API key?

2) The data that gets from Firestore to the Angular services, and the data processed in the services: is it processed on the server side or the client side?

Thank you.

Renaud Tarnec
Jerry

1 Answer

2

Answer to Question 1/ Your API keys will be "public", but it is not a problem; see this "famous" answer: "Is it safe to expose Firebase apiKey to the public?". So no "security breach".


Answer to Question 2/ Your Angular services are executed on the client side, so the data you get from Firestore is processed on the client side. The role of Firebase Hosting is only to send your Angular files up to the client when they are needed (i.e. requested by the client).

This means that you should probably add some security rules to your Firestore database (and build your queries accordingly) in order to send to the client only the data he/she can read. Those Security rules are the Authorization part of the Authentication/Authorization mechanism, while Firebase Authentication would be the first part. You can read the documentation about Firestore Security rules here (note that they are something totally different than your API keys), and about Firebase Authentication here.

Finally, note that, with Firebase, the only part of your code that runs in the back-end (i.e. server side) is the code you write for Cloud Functions. So, if you call, from your Angular application, a Cloud Function (e.g. an HTTPS Callable function or with an HTTP request) the code of this Function will be executed on the server side and only the resulting data would be sent back to the Angular app (client side).

Renaud Tarnec
  • Thanks for answering me. In that case, what if I am not using Firestore, like if I am using SQL? How should I log in to read/write the DB? Since it needs credentials to read & write. – Jerry May 31 '18 at 09:54
  • To log in, if you are using Firebase, use the Firebase Authentication mechanism (that you mention in your question). The doc is here: https://firebase.google.com/docs/auth/web/start. And, after authentication, you authorize users through security rules (see my answer). If the question in your comment is how to authenticate from an Angular app to an SQL database, I would kindly suggest that you ask a new question since it is somehow out of the scope of this Firebase-related question. – Renaud Tarnec May 31 '18 at 09:58
  • Note that, in addition to my comment, I have slightly updated the answer accordingly. – Renaud Tarnec May 31 '18 at 10:01
  • Thanks Renaud, I will open another post. Your answer is very clear to understand :) – Jerry May 31 '18 at 15:18
  • Glad I could help! – Renaud Tarnec May 31 '18 at 15:20
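
A sketch of the authorization point made in the answer above, as an added example that is not part of the original answer and is not Firebase's own code: it models, in plain JavaScript, an owner-only Firestore security rule and why queries have to be built to match it. The `notes` collection, the `ownerId` field and the sample documents are assumptions made for the illustration.

```javascript
// Added example: plain-JavaScript model of an owner-only Firestore rule.
// Rule being modelled (Firestore rules syntax):
//   match /notes/{id} {
//     allow read: if request.auth != null
//                 && request.auth.uid == resource.data.ownerId;
//   }
// Collection, field name and documents are constructed for this example.
const notes = [
  { id: 'n1', ownerId: 'alice', text: 'alice private note' },
  { id: 'n2', ownerId: 'bob', text: 'bob private note' },
];

// Single-document read: the rule is checked against the stored document.
function canGet(auth, doc) {
  return auth !== null && auth.uid === doc.ownerId;
}

// Query: rules are not filters. A query is allowed only when its own
// constraints guarantee that every possible result satisfies the rule;
// otherwise the whole query is rejected, whatever the data currently holds.
function canList(auth, equals) {
  return auth !== null && equals.ownerId === auth.uid;
}

// Model of what reaches the client. The apiKey plays no part here: it only
// identifies the project, while the decision uses the signed-in user's uid.
function runQuery(auth, equals) {
  if (!canList(auth, equals)) {
    return { error: 'permission-denied', docs: [] };
  }
  const docs = notes.filter((d) =>
    Object.entries(equals).every(([field, value]) => d[field] === value));
  return { error: null, docs };
}

const alice = { uid: 'alice' }; // stands in for request.auth after sign-in

// Query constrained to the caller's own documents: allowed, one result.
console.log(runQuery(alice, { ownerId: 'alice' }));
// Unconstrained query: rejected, even though one document is readable.
console.log(runQuery(alice, {}));
// Not signed in: rejected regardless of the constraint.
console.log(runQuery(null, { ownerId: 'alice' }));
```
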